Fortinet Document Library

Version:

7.0.1
7.0.0
6.4.7

Version:

6.4.6
6.4.5
6.4.4

Version:

6.4.3
6.4.2
6.4.1

Version:

6.4.0

Table of Contents

Administration Guide

7.0.1
7.0.1
7.0.0
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0
Download PDF
Copy Link

Default automation stitches

The following default automation stitches are included in FortiOS:

  • Compromised Host Quarantine
  • Incoming Webhook Quarantine
  • HA Failover
  • Network Down
  • Reboot
  • FortiAnalyzer Connection Down
  • License Expired Notification
  • Security Rating Notification

To view and edit the automation stitches in the GUI, go to Security Fabric > Automation.

CLI configurations

Compromised Host Quarantine

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Compromised Host Quarantine"

set trigger-type event-based

set event-type ioc

set ioc-level high

next

end

config system automation-stitch

edit "Compromised Host Quarantine"

set status disable

set trigger "Compromised Host Quarantine"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

FortiAnalyzer Connection Down

config system automation-action

edit "FortiAnalyzer Connection Down_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "FortiAnalyzer Connection Down"

set trigger-type event-based

set event-type event-log

set logid 22902

next

end

config system automation-stitch

edit "FortiAnalyzer Connection Down"

set status enable

set trigger "FortiAnalyzer Connection Down"

set action "FortiAnalyzer Connection Down_fortiexplorer-notification"

next

end

Network Down

config system automation-action

edit "Network Down_email"

set action-type email

set email-from ''

set email-subject "Network Down"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "Network Down"

set trigger-type event-based

set event-type event-log

set logid 20099

config fields

edit 1

set name "status"

set value "DOWN"

next

end

next

end

config system automation-stitch

edit "Network Down"

set status disable

set trigger "Network Down"

set action "Network Down_email"

next

end

HA Failover

config system automation-action

edit "HA Failover_email"

set action-type email

set email-from ''

set email-subject "HA Failover"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "HA Failover"

set trigger-type event-based

set event-type ha-failover

next

end

config system automation-stitch

edit "HA Failover"

set status disable

set trigger "HA Failover"

set action "HA Failover_email"

next

end

Incoming Webhook Quarantine

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Incoming Webhook Call"

set trigger-type event-based

set event-type incoming-webhook

next

end

config system automation-stitch

edit "Incoming Webhook Quarantine"

set status disable

set trigger "Incoming Webhook Call"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

License Expired Notification

config system automation-action

edit "License Expired Notification_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "License Expired Notification"

set trigger-type event-based

set event-type license-near-expiry

set license-type any

next

end

config system automation-stitch

edit "License Expired Notification"

set status enable

set trigger "License Expired Notification"

set action "License Expired Notification_fortiexplorer-notification"

next

end

Reboot

config system automation-action

edit "Reboot_email"

set action-type email

set email-from ''

set email-subject "Reboot"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "Reboot"

set trigger-type event-based

set event-type reboot

next

end

config system automation-stitch

edit "Reboot"

set status disable

set trigger "Reboot"

set action "Reboot_email"

next

end

Security Rating Notification

config system automation-action

edit "Security Rating Notification_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Security Rating Notification"

set trigger-type event-based

set event-type security-rating-summary

set report-type posture

next

end

config system automation-stitch

edit "Security Rating Notification"

set status enable

set trigger "Security Rating Notification"

set action "Security Rating Notification_fortiexplorer-notification"

next

end

Default automation stitches

The following default automation stitches are included in FortiOS:

  • Compromised Host Quarantine
  • Incoming Webhook Quarantine
  • HA Failover
  • Network Down
  • Reboot
  • FortiAnalyzer Connection Down
  • License Expired Notification
  • Security Rating Notification

To view and edit the automation stitches in the GUI, go to Security Fabric > Automation.

CLI configurations

Compromised Host Quarantine

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Compromised Host Quarantine"

set trigger-type event-based

set event-type ioc

set ioc-level high

next

end

config system automation-stitch

edit "Compromised Host Quarantine"

set status disable

set trigger "Compromised Host Quarantine"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

FortiAnalyzer Connection Down

config system automation-action

edit "FortiAnalyzer Connection Down_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "FortiAnalyzer Connection Down"

set trigger-type event-based

set event-type event-log

set logid 22902

next

end

config system automation-stitch

edit "FortiAnalyzer Connection Down"

set status enable

set trigger "FortiAnalyzer Connection Down"

set action "FortiAnalyzer Connection Down_fortiexplorer-notification"

next

end

Network Down

config system automation-action

edit "Network Down_email"

set action-type email

set email-from ''

set email-subject "Network Down"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "Network Down"

set trigger-type event-based

set event-type event-log

set logid 20099

config fields

edit 1

set name "status"

set value "DOWN"

next

end

next

end

config system automation-stitch

edit "Network Down"

set status disable

set trigger "Network Down"

set action "Network Down_email"

next

end

HA Failover

config system automation-action

edit "HA Failover_email"

set action-type email

set email-from ''

set email-subject "HA Failover"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "HA Failover"

set trigger-type event-based

set event-type ha-failover

next

end

config system automation-stitch

edit "HA Failover"

set status disable

set trigger "HA Failover"

set action "HA Failover_email"

next

end

Incoming Webhook Quarantine

config system automation-action

edit "Compromised Host Quarantine_quarantine"

set action-type quarantine

set minimum-interval 0

set delay 0

set required disable

next

edit "Compromised Host Quarantine_quarantine-forticlient"

set action-type quarantine-forticlient

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Incoming Webhook Call"

set trigger-type event-based

set event-type incoming-webhook

next

end

config system automation-stitch

edit "Incoming Webhook Quarantine"

set status disable

set trigger "Incoming Webhook Call"

set action "Compromised Host Quarantine_quarantine" "Compromised Host Quarantine_quarantine-forticlient"

next

end

License Expired Notification

config system automation-action

edit "License Expired Notification_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "License Expired Notification"

set trigger-type event-based

set event-type license-near-expiry

set license-type any

next

end

config system automation-stitch

edit "License Expired Notification"

set status enable

set trigger "License Expired Notification"

set action "License Expired Notification_fortiexplorer-notification"

next

end

Reboot

config system automation-action

edit "Reboot_email"

set action-type email

set email-from ''

set email-subject "Reboot"

set minimum-interval 0

set delay 0

set required disable

set message "%%log%%"

next

end

config system automation-trigger

edit "Reboot"

set trigger-type event-based

set event-type reboot

next

end

config system automation-stitch

edit "Reboot"

set status disable

set trigger "Reboot"

set action "Reboot_email"

next

end

Security Rating Notification

config system automation-action

edit "Security Rating Notification_fortiexplorer-notification"

set action-type fortiexplorer-notification

set minimum-interval 0

set delay 0

set required disable

next

end

config system automation-trigger

edit "Security Rating Notification"

set trigger-type event-based

set event-type security-rating-summary

set report-type posture

next

end

config system automation-stitch

edit "Security Rating Notification"

set status enable

set trigger "Security Rating Notification"

set action "Security Rating Notification_fortiexplorer-notification"

next

end